Active access monitoring for safer computing environments and systems

ABSTRACT

Techniques for controlling access are disclosed. The techniques can be used for reference monitoring in various computing systems (e.g., computing device) including those that may be relatively more susceptible to threats (e.g., mobile phones). Allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. After permission to access a component has been allowed, one or more disallow access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed. Access can be disallowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours. Disallow-access policies, rules and/or conditions can be defined and modified, for example, by end-users and system administrators, allowing a customizable and flexible security environment that is more adaptable to change.

BACKGROUND OF THE INVENTION

Conceptually, a computing system (e.g., a computing device, a personal computer, a laptop, a Smartphone, a mobile phone) can accept information (content or data) and manipulate it to obtain or determine a result based on a sequence of instructions (or a computer program) that effectively describes how to process the information. Typically, the information is stored in a computer readable medium in a digital or binary form. More complex computing systems can store content including the computer program itself. A computer program may be invariable and/or built into, for example, a computer (or computing) device as logic circuitry provided on microprocessors or computer chips. Today, general purpose computers can have both kinds of programming. A computing system can also have a support system which, among other things, manages various resources (e.g., memory, peripheral devices) and services (e.g., basic functions such as opening files) and allows the resources to be shared among multiple programs. One such support system is generally known as an Operating System (OS), which provides programmers with an interface used to access these resources and services.

Today, numerous types of computing devices are available. These computing devices widely range with respect to size, cost, amount of storage and processing power. The computing devices that are available today include: expensive and powerful servers, relatively cheaper Personal Computers (PC's) and laptops, and yet less expensive microprocessors (or computer chips) provided in storage devices, automobiles, and household electronic appliances.

In recent years, computing systems have become more portable and mobile. As a result, various mobile and handheld devices have been made available. By way of example, wireless phones, media players, and Personal Digital Assistants (PDA's) are widely used today. Generally, a mobile or a handheld device (also known as a handheld computer or simply a handheld) can be a pocket-sized computing device, typically utilizing a small visual display screen for user output and a miniaturized keyboard for user input. In the case of a Personal Digital Assistant (PDA), the input and output can be combined into a touch-screen interface.

In particular, mobile communication devices (e.g., mobile phones) have become extremely popular. Some mobile communication devices (e.g., Smartphones) offer computing environments that are similar to that provided by a Personal Computer (PC). As such, a Smartphone can effectively provide a complete operating system as a standardized interface and platform for application developers. Given the popularity of mobile communication devices, telecommunication is discussed in greater detail below.

Generally, telecommunication refers to assisted transmission of signals over a distance for the purpose of communication. In earlier times, this may have involved the use of smoke signals, drums, semaphore or heliograph. In modern times, telecommunication typically involves the use of electronic transmitters such as the telephone, television, radio or computer. Early inventors in the field of telecommunication include Alexander Graham Bell, Guglielmo Marconi and John Logie Baird. Telecommunication is an important part of the world economy and the telecommunication industry's revenue is placed at just under 3 percent of the gross world product.

Conventional telephones have been in use for many years. The first telephones had no network but were in private use, wired together in pairs. Users who wanted to talk to different people had as many telephones as necessary for the purpose. Typically, a person who wished to speak whistled into the transmitter until the other party heard. Shortly thereafter, a bell was added for signaling, and then a switch hook, and telephones took advantage of the exchange principle already employed in telegraph networks. Each telephone was wired to a local telephone exchange, and the exchanges were wired together with trunks. Networks were connected together in a hierarchical manner until they spanned cities, countries, continents and oceans. This can be considered the beginning of the public switched telephone network (PSTN), though the term was unknown for many decades.

The public switched telephone network (PSTN) is the network of the world's public circuit-switched telephone networks, in much the same way that the Internet is the network of the world's public IP-based packet-switched networks. Originally a network of fixed-line analog telephone systems, the PSTN is now almost entirely digital, and now includes mobile as well as fixed telephones. The PSTN is largely governed by technical standards created by the ITU-T, and uses E.163/E.164 addresses (known more commonly as telephone numbers) for addressing.

More recently, wireless networks have been developed. While the term wireless network may technically be used to refer to any type of network that is wireless, the term is often commonly used to refer to a telecommunications network whose interconnections between nodes are implemented without the use of wires, such as a computer network (which is a type of communications network). Wireless telecommunications networks can, for example, be implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or “layer” of the network (e.g., the Physical Layer of the OSI Model). One type of wireless network is a WLAN or Wireless Local Area Network. Similar to other wireless devices, it uses radio instead of wires to transmit data back and forth between computers on the same network. Wi-Fi is a commonly used wireless network in computer systems which enables connection to the internet or other machines that have Wi-Fi functionalities. Wi-Fi networks broadcast radio waves that can be picked up by Wi-Fi receivers that are attached to different computers or mobile phones. Fixed wireless data is a type of wireless data network that can be used to connect two or more buildings together in order to extend or share the network bandwidth without physically wiring the buildings together. Wireless MAN is another type of wireless network that connects several Wireless LANs.

Today, several mobile networks are in use. One example is the Global System for Mobile Communications (GSM), which is divided into three major systems: the switching system, the base station system, and the operation and support system (Global System for Mobile Communication (GSM)). A cell phone can connect to the base station system, which then connects to the operation and support system; it can then connect to the switching system, where the call is transferred where it needs to go (Global System for Mobile Communication (GSM)). This is used for cellular phones and is a common standard for a majority of cellular providers. Personal Communications Service (PCS): PCS is a radio band that can be used by mobile phones in North America. Sprint happened to be the first service to set up a PCS. Digital Advanced Mobile Phone Service (D-AMPS) is an upgraded version of AMPS, but it may be phased out as the newer GSM networks are replacing the older system.

Yet another example is the General Packet Radio Service (GPRS), which is a Mobile Data Service available to users of Global System for Mobile Communications (GSM) and IS-136 mobile phones. GPRS data transfer is typically charged per kilobyte of transferred data, while data communication via traditional circuit switching is billed per minute of connection time, independent of whether the user has actually transferred data or has been in an idle state. GPRS can be used for services such as Wireless Application Protocol (WAP) access, Short Message Service (SMS), Multimedia Messaging Service (MMS), and for Internet communication services such as email and World Wide Web access. 2G cellular systems combined with GPRS are often described as “2.5G”, that is, a technology between the second (2G) and third (3G) generations of mobile telephony. It provides moderate speed data transfer by using unused Time Division Multiple Access (TDMA) channels in, for example, the GSM system. Originally there was some thought to extend GPRS to cover other standards, but instead those networks are being converted to use the GSM standard, so that GSM is the only kind of network where GPRS is in use. GPRS is integrated into GSM Release 97 and newer releases. It was originally standardized by the European Telecommunications Standards Institute (ETSI), but now by the 3rd Generation Partnership Project (3GPP). W-CDMA (Wideband Code Division Multiple Access) is a type of 3G cellular network. W-CDMA is the higher speed transmission protocol used in the Japanese FOMA system and in the UMTS system, a third generation follow-on to the 2G GSM networks deployed worldwide. More technically, W-CDMA is a wideband spread-spectrum mobile air interface that utilizes the direct sequence Code Division Multiple Access signaling method (or CDMA) to achieve higher speeds and support more users compared to the implementation of time division multiplexing (TDMA) used by 2G GSM networks. It should be noted that SMS can be supported by GSM and MMS can be supported by 2.5G/3G networks.

Generally, a mobile phone or cell phone can be a long-range, portable electronic device used for mobile communication. In addition to the standard voice function of a telephone, current mobile phones can support many additional services such as SMS for text messaging, email, packet switching for access to the Internet, and MMS for sending and receiving photos and video. Most current mobile phones connect to a cellular network of base stations (cell sites), which is in turn interconnected to the public switched telephone network (PSTN) (one exception is satellite phones).

The Short Message Service (SMS), often called text messaging, is a means of sending short messages to and from mobile phones. SMS was originally defined as part of the GSM series of standards in 1985 as a means of sending messages of up to 160 characters to and from Global System for Mobile communications (GSM) mobile handsets. Since then, support for the service has expanded to include alternative mobile standards such as ANSI CDMA networks and Digital AMPS, satellite and landline networks. Most SMS messages are mobile-to-mobile text messages, though the standard supports other types of broadcast messaging as well. The term SMS is frequently used in a non-technical sense to refer to the text messages themselves, particularly in non-English-speaking European countries where the GSM system is well-established.

Multimedia Messaging Service (MMS) is a relatively more modern standard for telephony messaging systems that allows sending messages that include multimedia objects (images, audio, video, rich text) and not just text as in Short Message Service (SMS). It can be deployed in cellular networks along with other messaging systems like SMS, Mobile Instant Messaging and Mobile E-mail. Its main standardization effort is done by 3GPP, 3GPP2 and the Open Mobile Alliance (OMA).

The popularity of computing systems, especially mobile communication devices, is evidenced by their ever increasing use in everyday life. Accordingly, techniques that can improve the safety of computing systems, especially mobile communication devices, would be very useful.

SUMMARY OF THE INVENTION

Broadly speaking, the invention relates to computing environments and/or computing systems. More particularly, the invention pertains to improved techniques for controlling access in computing environments and/or computing systems.

It will be appreciated that the techniques, among other things, can be used for reference monitoring in various computing systems (e.g., a computing device) including those that may be relatively more susceptible to threats (e.g., mobile phones).

In accordance with one aspect of the invention, it can be determined to disallow access that has been allowed (allowed access). Consequently, allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. This means that a granted access privilege of a first component (e.g., an application program) to a second (accessible) component (e.g., a system resource) may be effectively terminated. In accordance with one embodiment of the invention, one or more “disallow-access” conditions (or criteria) can be considered in determining whether to disallow allowed access. Generally, a “disallow-access” condition, rule, and/or policy can be an access condition (or criteria) or defined based on an access condition. It will be appreciated that a disallow-access condition can be explicitly defined and/or can be different than an “allow-access” condition used to determine whether to grant permission to access. However, a set of general access conditions can effectively serve as both allow-access and disallow-access conditions where, for example, violation of an allow-access condition can result in disallowance of access. In another embodiment, after permission to access a component has been allowed, one or more disallow-access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed.

In accordance with a related aspect of the invention, allowed access to a component of a computing environment and/or computing system can be disallowed based on one or more “states.” Those skilled in the art will appreciate that a state can, for example, be associated with a computing environment and/or computing system (e.g., a system state, an application state) and can include contextual information (e.g., system internal and/or external context). As such, one or more states can effectively define a situation in which a computing device is used and/or a situation in which access occurs (e.g., time of the day, a particular geographical location, number of connections used by an application). One or more states can be effectively used as a condition (rule or policy) to disallow access (e.g., disallow access in the mornings outside of a particular building, disallow access to more than one connection if network traffic is heavy).

In accordance with another aspect of the invention, access can be allowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. In other words, access decisions, especially with respect to disallowing access, need not be made as atomic decisions based solely on a factor at a given time. Rather, access decisions can effectively be made based on measurements of one or more factors, including one or more states, over a determined amount of time (e.g., an application session). This allows defining and enforcing useful and meaningful access policies and, to some extent, more useful and meaningful access rules and/or conditions. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours. Generally, access can be disallowed based on one or more criteria or factors that may be measured or captured over a period of time.

In accordance with yet another aspect of the invention, disallow-access policies, rules and/or conditions can be defined and modified. It will be appreciated that the disallow-access policies, rules and/or conditions can, for example, be defined and modified by end-users and system administrators, allowing a customizable and flexible security environment that is more adaptable to change.

It will also be appreciated that these and other aspects of the invention can be combined.

The invention can be implemented in numerous ways, including, for example, a method, an apparatus, a computer readable (and/or storable) medium, and a computing system (e.g., a computing device). A computer readable medium can, for example, include at least executable computer program code stored in a tangible form. Several embodiments of the invention are discussed below.

Other aspects and advantages of the invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

FIG. 1A depicts a computing environment in accordance with one embodiment of the invention.

FIG. 1B depicts a method for (actively) maintaining current access data for a component (or accessible component) of a computing environment and/or computing system in accordance with one embodiment of the invention.

FIG. 1C depicts a method for (actively) controlling access to a component (accessible component) of a computing system and/or computing environment.

FIG. 1D depicts a method for controlling access to one or more components of a computing environment in accordance with another embodiment of the invention.

FIG. 2A depicts an active state-aware reference monitor 200 in accordance with one embodiment of the invention.

FIG. 2B depicts a method for controlling access to a component of a computing environment and/or computing system in accordance with one embodiment of the invention.

FIG. 3 depicts a reference monitoring architecture compatible with the techniques of the invention.

FIG. 4 depicts a J2ME-compliant computing environment in accordance with one embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

As noted in the background section, mobile devices are becoming increasingly more popular. Today, wireless networks and mobile communication devices (e.g., Smartphones, cell phones, Personal Digital Assistants) are especially popular. Unfortunately, however, partly because of this popularity, more and more malicious attacks are being directed to wireless networks and mobile communication devices. In addition, recent developments, including relatively new services (e.g., email, file transfer and messaging) and the use of common software platforms (e.g., Symbian, Embedded Linux, and Windows CE operating systems), have made mobile communication devices relatively more exposed to malicious attacks. The exposure to malicious attacks could worsen as the wireless networks and mobile communication devices continue to evolve rapidly. Today, wireless and/or portable communication devices (e.g., cell phones, Smartphones) can offer similar functionality as that more traditionally offered by Personal Computers (PCs). As a result, wireless and/or portable communication devices are likely to face similar security problems (e.g., worms, viruses) as those encountered in more traditional computing environments.

Examples of the most notorious threats to cell phones include the Skull, Cabir, and Mabir worms, which have targeted the Symbian operating systems. Generally, an MMS-based worm can start attacking initial targets (a hit-list) from the network. Each infected phone can scan its contact list and randomly pick members to deliver a malicious attack in the form of a message. A person can trust an incoming message due to its attractive title or seemingly familiar source, activate the attached file and unwittingly get a phone infected. The infected phone can in turn get other phones infected, and so on. In contrast, a Bluetooth-based worm can take control of a victim phone's Bluetooth interface and continuously scan for other Bluetooth-enabled phones within its range. Once a new target has been detected, the worm can effectively connect to the other device and transfer a malicious message to it, and so on.

Taking the cell phone as an example, an active cell phone typically has two security states: susceptible and infected. A susceptible cell phone is not completely protected against worms and may get infected when exposed to a specific worm (e.g., CommWarrior). An infected cell phone can return back to the susceptible state when the user launches a protection (e.g., the CommWarrior patch from F-Secure or Symantec), partly because the cell phone is susceptible to other worm threats. Malware has many other undesirable effects, including compromising the privacy of the users.

Generally, safety is a major concern of most modern computing environments, including mobile computing environments. As such, controlling access to various components (e.g., resources, executable code) of a computing environment is crucial. However, conventional access monitoring techniques, including the prevalent “reference monitoring” techniques, do not generally consider the state of the computing environment or the state associated with access, and as such, do not provide access control based on the situation or context in which access is requested. Moreover, conventional reference monitoring techniques do not provide a mechanism to effectively control access to a resource after access has been granted—access is either allowed (or granted) or denied. It should also be noted that flexible and customizable security environments that allow customization and are readily adaptable to change are not currently available.

In view of the foregoing, improved techniques for controlling access in a computing environment would be useful.

It will be appreciated that the invention pertains to improved techniques for controlling access in a computing environment and/or computing system. The techniques, among other things, can be used for reference monitoring in various computing systems (e.g., a computing device) including those that may be relatively more susceptible to threats (e.g., mobile phones).

In accordance with one aspect of the invention, it can be determined to disallow access that has been allowed (allowed access). Consequently, allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. This means that a granted access privilege of a first component (e.g., an application program) to a second (accessible) component (e.g., a system resource) may be effectively terminated. In accordance with one embodiment of the invention, one or more “disallow-access” conditions (or criteria) can be considered in determining whether to disallow allowed access. Generally, a “disallow-access” condition, rule, and/or policy can be an access condition (or criteria) or defined based on an access condition. It will be appreciated that a disallow-access condition can be explicitly defined and/or can be different than an “allow-access” condition used to determine whether to grant permission to access. However, a set of general access conditions can effectively serve as both allow-access and disallow-access conditions where, for example, violation of an allow-access condition can result in disallowance of access. In another embodiment, after permission to access a component has been allowed, one or more disallow-access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed.

In accordance with a related aspect of the invention, allowed access to a component of a computing environment and/or computing system can be disallowed based on one or more “states.” Those skilled in the art will appreciate that a state can, for example, be associated with a computing environment and/or computing system (e.g., a system state, an application state) and can include contextual information (e.g., system internal and/or external context). As such, one or more states can effectively define a situation in which a computing device is used and/or a situation in which access occurs (e.g., time of the day, a particular geographical location, number of connections used by an application). One or more states can be effectively used as a condition (rule or policy) to disallow access (e.g., disallow access in the mornings outside of a particular building, disallow access to more than one connection if network traffic is heavy).

In accordance with another aspect of the invention, access can be allowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. In other words, access decisions, especially with respect to disallowing access, need not be made as atomic decisions based solely on a factor at a given time. Rather, access decisions can effectively be made based on measurements of one or more factors, including one or more states, over a determined amount of time (e.g., an application session). This allows defining and enforcing useful and meaningful access policies and, to some extent, more useful and meaningful access rules and/or conditions. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours. Generally, access can be disallowed based on one or more criteria or factors that may be measured or captured over a period of time.

In accordance with yet another aspect of the invention, disallow-access policies, rules and/or conditions can be defined and modified. It will be appreciated that the disallow-access policies, rules and/or conditions can, for example, be defined and modified by end-users and system administrators, allowing a customizable and flexible security environment that is more adaptable to change.

It will also be appreciated that these and other aspects of the invention can be combined.

Embodiments of these aspects of the invention are discussed below with reference to FIGS. 1A-4. However, those skilled in the art will readily appreciate that the detailed description given herein with respect to these figures is for explanatory purposes, as the invention extends beyond these limited embodiments.

FIG. 1A depicts a computing environment 100 in accordance with one embodiment of the invention. Referring to FIG. 1A, an active access control (or controlling) system 102 can be operable to effectively control access to one or more accessible components 106 of the computing environment 100. As such, the active access control system 102 can allow and/or disallow a first component 104 to access an accessible component 106. As a component of the computing environment 100 that can be accessed, the accessible component 106 can, for example, be a resource (e.g., a file, an object, a connection), a program (e.g., an application program), and so on. The first component 104 can, for example, be an application program, an object trying to access another program, object and/or resource, and so on. In general, the first component 104 is a component of the computing environment 100. The first component 104 may be operable to effectively attempt and/or request to access another component of the computing environment 100 that can be accessed (an accessible component). Similarly, the first component 104 can also be a component of the computing environment 100 that can be accessed. Accessing the accessible component 106 can normally include any operation that can be performed on or by a component (e.g., reading, writing, communicating, sending and/or receiving data).

It should be noted that the active access control system 102 can, for example, be provided as a component of a computing system (e.g., a computing device). As such, the active access control system 102 can, for example, be provided for a Personal Computer (PC), a mobile device, or a cell phone. As will be described below and appreciated by those skilled in the art, the active access control system 102 can, for example, be provided as a reference monitoring system (or a reference monitor) for a computing system and/or computing environment.

As noted above, the active access control system 102 can be operable to control access to an accessible component 106. More particularly, the active access control system 102 can effectively provide an active access monitor 105 (e.g., a reference monitor, or reference monitoring system or component) that is operable to disallow access to the accessible component 106. The active access monitor 105 can be operable to determine whether one or more “disallow-access conditions” 108 are met after access to the accessible component 106 has been allowed. In other words, the active access monitor 105 can be operable to effectively withdraw permission to access the accessible component 106 which may have been granted to the first component 104 by the active access monitor 105 and/or another system or component (not shown).

Typically, the active access monitor 105 can also be operable to effectively determine whether to allow the first component 104 to access the accessible component 106. In other words, the active access monitor 105 can be operable to first determine whether to allow the first component 104 to access the accessible component 106 based on one or more allow-access conditions that can, for example, be provided as allow-access data 110, as well as being operable to withdraw the permission to access the accessible component 106.

Those skilled in the art will appreciate that an allow-access and a disallow-access condition can be effectively the same condition, policy, rule, event, and so on. In other words, an allow-access condition can, for example, be defined as allow-access: “if condition X is met”. In this example, a disallow-access condition can be implicitly defined as disallow-access: “if condition X is not true (any more)”. However, generally, disallow-access conditions can be independent and/or independently defined from allow-access conditions. As such, a disallow-access condition can, for example, be defined as “(disallow-access if condition Y is met) or (if condition X and Y), or (X and/or Y) are met”. Therefore, a disallow-access condition 108 can, for example, be met when one or more access conditions (policies and/or rules) 110 are effectively violated. More generally, a disallow-access condition 108 can be defined based on one or more allow-access conditions, policies and/or rules for allowing access to the accessible component 106.

However, a disallow-access condition 108 can be different than one or more allow-access conditions 110 defined for the same accessible component 106. More generally, a disallow-access condition 108 can be explicitly defined for disallowing access to accessible components, including the accessible component 106, individually, in groups, or as a whole.

The active access monitor 105 can be operable to effectively monitor one or more access conditions (e.g., an allow-access condition, a disallow-access condition) in order to determine whether to effectively withdraw the grant of permission to access the one or more accessible components. For clarity, such access conditions are referred to as “disallow-access conditions”, but it should be apparent that they can be any access condition. Those skilled in the art will readily appreciate that a disallow-access condition 108 can, for example, be defined based on one or more variables associated with the computing environment 100. Moreover, a variable can include a state variable associated with a state of the computing environment 100, as will be described in greater detail below. Furthermore, it will be appreciated that the active access control system 102 can receive input for defining access conditions, including disallow-access conditions. The input can explicitly and/or implicitly define a disallow-access condition.

The active access monitor 105 can, for example, be operable toeffectively detect a change in the value of one or more variables usedto define an access condition (e.g., a disallow-access condition 108)after access to the accessible component 106 has been allowed. By way ofexample, if an access condition 108 is defined to allow access “if avariable X (e.g., a current location) is within a determined range(e.g., within one mile radius of a determined geographical location),”after access to accessible component 106 has been granted, the activeaccess monitor 105 can detect a change in variable X (e.g., a change incurrent location) and consequently evaluate (or reevaluate) the accesscondition 108 in order to determine whether to effectively withdraw thepermission to access the accessible component 106. In this example, adisallow-access condition may, for example, be defined to disallowaccess after 5 pm. Consequently, permission to access may be disallowedeven if the current location has not changed and it still acceptable.

The active access monitor 105 can be operable to compare the current values of one or more variables, including state variables of the computing environment 100, to a set of acceptable and/or unacceptable values in order to allow and/or disallow access to the accessible component 106.

In general, the active access monitor 105 can actively monitor and maintain "active-access" data 107 in order to determine whether to effectively withdraw permission to access the accessible component 106. It should be noted that the first and second components 104 and 106 can be operating on the same device as the active access control system 102. However, the active access control system 102 can also operate on, or as, a different system (or device) to effectively control access to an accessible component provided for another system or device. As such, the first component 104 may be operating on a different system or device than the systems or devices where the active access control system 102 and/or the accessible component 106 operate.

FIG. 1B depicts a method 120 for (actively) maintaining current access data for a component (or accessible component) of a computing environment and/or computing system in accordance with one embodiment of the invention. Method 120 can, for example, be performed by the active access monitor 105 depicted in FIG. 1A. Referring to FIG. 1B, initially, it is determined (122) whether access to a component has been allowed. In effect, the method 120 can wait to determine (122) that access to a component has been allowed. If it is determined (122) that access to the component has been allowed, current access data for the component is determined (124). It should be noted that access data can effectively indicate, and/or be evaluated to determine, whether to disallow access that has been allowed to the component. By way of example, determining (124) current access data can include maintaining and/or updating access data, including obtaining (e.g., receiving, measuring, determining) the current values of one or more variables that effectively define a disallow-access criterion (or condition, policy, rule, and/or event).

After current access data has been determined (124), it is determined (126) whether access to the component has been disallowed or has ended. Referring back to FIG. 1B, access can end, for example, as a result of the accessing component and/or the accessible component no longer being operable and/or active (e.g., not executing). If it is determined (126) that access to the component has been disallowed or has ended, the method 120 ends. However, if it is determined (126) that access to the component has neither been disallowed nor ended, the method 120 proceeds to determine (124) current access data for the component. In effect, the method 120 can keep monitoring and/or updating access data (including disallow-access data) so long as access has not ended and has not been disallowed, thereby effectively monitoring access to the component actively or continually after access has been allowed. Moreover, the current access data can be used to determine whether to disallow access that has been allowed to a component, thereby allowing access to the component to be actively or continually controlled.

To further elaborate, FIG. 1C depicts a method 150 for (actively) controlling access to a component (accessible component) of a computing system and/or computing environment. The method 150 can, for example, be performed by the active access monitor 105 depicted in FIG. 1A. Referring to FIG. 1C, initially, current access data for a component that can be accessed (accessible component) is obtained (152) after access to the accessible component has been allowed. It should be noted that the current access data can effectively indicate whether to disallow access that has been allowed (or granted) to the component. The current access data can, for example, be maintained in an active manner after access has been allowed to the component, in a similar manner as the method 120 depicted in FIG. 1B. Referring back to FIG. 1C, after the current access data has been obtained (152), allowed access can be disallowed (154) as effectively indicated by the current access data. Those skilled in the art will readily appreciate that methods 120 and 150 (respectively depicted in FIGS. 1B and 1C) can be combined and/or effectively performed by a single component or system (e.g., the active access monitor 105 depicted in FIG. 1A).

FIG. 1D depicts a method 170 for controlling access to one or more components of a computing environment in accordance with another embodiment of the invention. The method 170 can, for example, be performed by the active access monitor 105 depicted in FIG. 1A. Referring to FIG. 1D, initially, it is determined (172) whether access to one or more accessible components has been allowed. In effect, the method 170 can wait for a determination (172) that access to one or more accessible components has been allowed. If it is determined (172) that access to one or more accessible components has been allowed, one or more conditions for disallowing access to the one or more accessible components are monitored (174). As noted above, a condition for disallowing access can, for example, be explicitly defined as a disallow-access condition and/or be defined implicitly based on an allow-access condition. In any case, based on the monitoring (174) of the one or more conditions (disallow-access conditions), it can be determined (176) whether a disallow-access condition has been met. If it is determined (176) that a disallow-access condition has been met, appropriate action can be taken to effectively cause the disallowance of access to the one or more accessible components before the method 170 ends.

On the other hand, if it is determined (176) that a disallow-access condition has not been met, it is determined (178) whether to effectively end the monitoring of the disallow-access condition(s). By way of example, it can be determined (178) whether the component that has been allowed access (or accessing component) is no longer active and thus incapable of accessing the accessible component, and/or whether the accessible component is no longer active and/or is inaccessible. If it is determined (178) to end monitoring of the one or more conditions for disallowing access (disallow-access conditions), the method 170 ends. However, if it is determined (178) not to end monitoring of the one or more conditions for disallowing access, the method 170 proceeds to determine (176) whether a disallow-access condition has been met for disallowing access to the one or more accessible components. In effect, the method 170 can continue to monitor (174) one or more conditions for disallowing access and reevaluate one or more disallow-access conditions, policies, and/or rules to determine whether to disallow access to the one or more accessible components.
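The conditions of the preceding paragraphs and the monitoring loop of FIGS. 1B through 1D, written out as an added Python example (illustration added here, not code from the patent). It assumes a reference location OFFICE, a one-mile radius as allow-access condition X, "after 5 pm" as an independent, explicitly defined disallow-access condition Y, and constructed state snapshots; all function, variable and condition names are the example's own.

```python
# Added example, not code from the patent: allow/disallow conditions as
# predicates over a snapshot of state variables, and the monitoring loop of
# FIGS. 1B-1D.  The reference point OFFICE, the one-mile radius, the 5 pm
# cut-off and the sample sessions are constructed assumptions.
from dataclasses import dataclass
from datetime import time
from math import asin, cos, radians, sin, sqrt
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, object]          # one snapshot of the monitored variables

EARTH_RADIUS_MILES = 3958.8
OFFICE = (37.3875, -122.0575)      # assumed reference location (lat, lon)


def distance_miles(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


# Allow-access condition X (conditions 110): within one mile of OFFICE.
def within_one_mile(state: State) -> bool:
    return distance_miles(state["location"], OFFICE) <= 1.0


# Implicitly defined disallow-access condition: "X is not true any more".
def implicit_disallow(state: State) -> bool:
    return not within_one_mile(state)


# Explicitly defined, independent disallow-access condition Y: after 5 pm.
def after_five_pm(state: State) -> bool:
    return state["clock"] >= time(17, 0)


@dataclass(frozen=True)
class DisallowCondition:
    name: str
    predicate: Callable[[State], bool]
    variables: Tuple[str, ...]     # the state variables that define the condition


CONDITIONS = [
    DisallowCondition("left_one_mile_radius", implicit_disallow, ("location",)),
    DisallowCondition("after_5pm", after_five_pm, ("clock",)),
]


def access_allowed(state: State) -> bool:
    """Decision at the access-request point; monitoring starts only after it."""
    return within_one_mile(state)


def monitor_access(snapshots: List[State],
                   conditions: List[DisallowCondition]) -> Tuple[Optional[int], Optional[str]]:
    """Active monitoring after access was allowed (methods 120 and 170).

    snapshots[0] is the state when access was granted; the rest are later
    observations.  Each condition is re-evaluated only when one of its
    defining variables changed since the previous snapshot (steps 174/176).
    Returns (snapshot index, condition name) when access is disallowed, or
    (None, None) when access ended normally because the accessing component
    is no longer active (steps 126/178).
    """
    if not access_allowed(snapshots[0]):
        raise ValueError("monitoring only starts after access has been allowed")
    previous = snapshots[0]
    for i, current in enumerate(snapshots[1:], start=1):
        if not current.get("accessor_active", True):
            return None, None
        for cond in conditions:
            if any(current[v] != previous[v] for v in cond.variables) and cond.predicate(current):
                return i, cond.name
        previous = current
    return None, None


# Constructed sessions (not real telemetry).  Access is granted at 16:30 a few
# hundred feet from OFFICE; the device barely moves, but the clock passes 5 pm.
SESSION_PAST_FIVE = [
    {"location": (37.3880, -122.0580), "clock": time(16, 30), "accessor_active": True},
    {"location": (37.3890, -122.0590), "clock": time(16, 45), "accessor_active": True},
    {"location": (37.3890, -122.0590), "clock": time(17, 5), "accessor_active": True},
]
# The device moves about 1.5 miles north, so allow-condition X stops holding.
SESSION_LEFT_AREA = [
    {"location": (37.3880, -122.0580), "clock": time(9, 0), "accessor_active": True},
    {"location": (37.4100, -122.0580), "clock": time(9, 10), "accessor_active": True},
]
# The accessing application exits before any condition is met.
SESSION_ENDED = [
    {"location": (37.3880, -122.0580), "clock": time(9, 0), "accessor_active": True},
    {"location": (37.3880, -122.0580), "clock": time(9, 1), "accessor_active": False},
]

if __name__ == "__main__":
    for name, session in (("past five", SESSION_PAST_FIVE),
                          ("left area", SESSION_LEFT_AREA),
                          ("ended", SESSION_ENDED)):
        print(name, monitor_access(session, CONDITIONS))
```

The second session is disallowed by the implicit condition (X no longer true), the first by the explicit condition Y even though the location is still acceptable, which is the point made above: the two kinds of disallow-access condition are evaluated independently and each can be tied to its own set of variables.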

As noted above, the active access monitor 105 (depicted in FIG. 1A) can, for example, include a reference monitoring system or a reference monitor in accordance with one embodiment of the invention. In addition, a disallow-access condition can include and/or be based on one or more state variables associated with a computing system and/or computing environment.

To further elaborate, FIG. 2A depicts an active state-aware reference monitor 200 in accordance with one embodiment of the invention. Referring to FIG. 2A, a state-based access policy manager 202 is operable to effectively control access to one or more accessible components 204. The accessible components 204 can, for example, be one or more resources, including an operating system, as will be known to those skilled in the art. One or more components 206 can effectively attempt and/or request to access one or more of the accessible components 204. By way of example, one or more components 206 can be one or more application programs (or applications) attempting to access one or more files, connections and/or services of a computing device by making one or more system calls provided by an operating system operating on the computing device (e.g., a PC, a cell phone).

The state-based access policy manager 202 is operable to allow a component 206 to access a component 204. Moreover, the state-based access policy manager 202 is operable to disallow access to the component 204 after access has been allowed, even though the component 206 may still be active and/or still accessing or trying to access the component 204. It will also be appreciated that the state-based access policy manager 202 can effectively make decisions regarding allowance and/or disallowance of access based on one or more state-based conditions, policies and/or rules stored as state configuration 210. Generally, a state-based condition, policy, and/or rule 210 can include and/or be effectively defined based on one or more state variables associated with a computing environment and/or computing system. A state monitor 212 can effectively monitor the state variables and provide the state-based access policy manager 202 with the current values of the variables, allowing the state-based access policy manager 202 to make informed decisions regarding allowance and/or disallowance of access based on one or more state variables associated with one or more conditions, policies, and/or rules defined for allowance and/or disallowance of access to one or more components 204. It should be noted that the conditions, policies, and/or rules 210 can be effectively defined based on input provided by a person 214 who can interact with a User Interface (UI) in order to explicitly and/or implicitly define one or more state-based access rules. It should also be noted that the state-based access policy manager 202 and the state monitor 212 can collectively and effectively monitor one or more state-based conditions, policies, and/or rules, including a state-based disallow-access condition, policy and/or rule defined for disallowing access to one or more components 204.

This monitoring can, for example, be performed when a component 206 is accessing one or more of the accessible components 204, when the component 206 is executing and/or is active, and even when the component 206 is not requesting to access the one or more components 204. Determining whether a disallow-access condition is met or has been met can be based on determining whether state access data (or state data) has been modified after permission to access an accessible component 204 has been granted, thereby allowing access to be actively controlled. State data can, for example, be stored with the state configuration 210 or separately as state data 211, as depicted in FIG. 2A. By way of example, state data stored as state configuration 210 can include the stored value of a state variable at the time access was allowed. The state configuration data 210 can also define an acceptable range for the change of that state variable. A change in the value of the state variable with respect to the stored value can then result in determining whether the current value of the state variable is still within the acceptable range. A state variable can, for example, be the current geographical location of a computing device. The current geographical location can be effectively monitored by the state monitor 212. If a change in location is detected after access has been allowed, a disallow-access condition or rule can be effectively evaluated in order to determine whether to disallow access to a resource 204 even though access may be on-going. As such, access to a resource 204 can, for example, be disallowed when the state monitor 212 detects a change in geographical location that is beyond an acceptable range defined by an access condition, policy, or rule. Generally, the state-based access policy manager 202 and the state monitor 212 can collectively and effectively monitor access to one or more accessible components 204 after access to them has been granted.

The monitoring can include monitoring one or more access states, including one or more access state variables and/or parameters associated with a computing environment and/or computing device. Access state data 211 (or state data) can, for example, include one or more of the following: component data associated with one or more accessible components 204 and/or one or more components 206; one or more component states associated with states of the components 206 and/or the accessible components 204; and contextual data associated with one or more contextual variables of a computing environment and/or computing system, including internal contextual data associated with one or more internal contextual variables that are internal to the computing environment and/or computing system, and external contextual data associated with one or more external contextual variables that are external to the computing environment and/or computing system. Contextual data and/or a contextual variable can, for example, be determined based on one or more internal and/or usable components of a computing system; one or more factors and/or elements which are internal or external to the computing system; an environmental factor and/or element, including one associated with one or more humans interacting with one or more active applications on the computing system; the environmental context of use associated with the environment of one or more humans as they interact with one or more active applications on the computing system; a geographical and/or physical factor and/or element; time; date; location; mode or mode of operation; condition; event; speed and/or acceleration of movement; and power and/or force.

It should also be noted that the state-based access policy manager 202 can be operable to obtain (e.g., retrieve, receive, determine) one or more state-based access conditions, policies and/or rules from the state configuration 210 and/or another source (not shown) to disallow access to one or more accessible components 204.

FIG. 2B depicts a method 250 for controlling access to a component of a computing environment and/or computing system in accordance with one embodiment of the invention. Method 250 can, for example, be performed by the active state-aware reference monitor 200 depicted in FIG. 2A. Referring to FIG. 2B, initially, it is determined (252) whether a first component is attempting and/or requesting to access an accessible component of the computing environment and/or computing system. In effect, the method 250 can wait for a determination (252) that a component is attempting and/or requesting to access an accessible component. If it is determined (252) that the first component is attempting and/or requesting to access an accessible component, one or more state-based access rules (policies or conditions) for accessing the accessible component are obtained (254). The one or more state-based access rules can effectively define access rules for both allowing and disallowing access to the accessible component. A state-based access rule can, for example, be defined for the component that effectively attempts and/or requests to access the accessible component. An access rule can also be defined based on the accessible component. In any case, current values for the one or more state variables of the state-based rules are obtained (256). By way of example, if a state-based access rule is defined based on geographical location as a state variable, the current value of that state variable, namely the current geographical location, is obtained (256). Based on the current values of the one or more state variables, the one or more state-based access rules can be evaluated (258) to effectively determine whether to allow the first component to access the accessible component. Accordingly, it is determined (260) whether to grant access permission to the first component for accessing the accessible component.

If it is determined (260) not to grant (i.e., to deny) the first component permission to access the accessible component, the method 250 ends. However, if it is determined (260) to grant access permission to the first component, permission to access the accessible component is granted (262) to the first component and monitoring of the one or more state variables is initiated (262). These state variables can be the same state variables used to determine whether to grant permission to the first component and/or they can be one or more different variables.

Generally, the one or more state variables that are effectively monitored (262) can pertain to one or more disallow-access rules, policies and/or conditions. The rules, policies and/or conditions can be the same as, or similar to, the rules, policies and/or conditions defined for allowing access. As such, the one or more state variables being monitored can be the same state variables used to evaluate whether to permit access to the accessible component in the first place. By way of example, the same geographical location used to determine whether to allow access to an accessible component can be monitored in order to detect an effective violation of an access rule, such as moving a computing device outside a determined (acceptable) geographical area. However, it should be noted that the monitoring (262) of state variables can, additionally or in the alternative, include monitoring a completely different set of state variables, including, for example, time, network traffic, the number of network connections in use in general or in use by a specific accessing component, and so on. Referring back to FIG. 2B, the current values of the one or more state variables are obtained (264). Thereafter, based on the current values of the one or more state variables, it is determined (266) whether to effectively withdraw the permission to access the accessible component. By way of example, the one or more state-based rules defining the initial access condition can be reevaluated based on the current values of the one or more state variables. This reevaluation can, for example, be performed when a change in the value of a monitored state variable is detected with respect to a stored value (e.g., a value stored when access was initially granted).

If it is determined (266) to effectively withdraw the permission to access the accessible component, the permission to access the accessible component is effectively withdrawn (268) to prevent the first component from further accessing the accessible component, and the method 250 ends.

On the other hand, if it is determined (266) not to withdraw the permission to access the accessible component, it is determined (270) whether the permission to access has terminated normally. The permission to access can terminate normally (or end), for example, when the first component is no longer active (e.g., not executing) and/or the accessible component is no longer accessible. If it is determined (270) that the permission to access has terminated normally, monitoring of the one or more state variables ends and the method 250 ends. However, if it is determined (270) that the permission to access the accessible component has not terminated normally, the current values of the one or more state variables are obtained (264) again and it is determined (266) whether to withdraw the permission to access the accessible component. In effect, the method 250 continues to monitor the one or more state variables needed to determine whether to disallow access to the accessible component until it is determined (266) to withdraw the permission to access or it is determined (270) that the permission to access has terminated normally.
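A compact implementation of the FIG. 2A components walked through by method 250, added here as an illustration (this is not the patent's code). It assumes rules keyed by (accessing component, accessible component) with a wildcard subject, a grant-time snapshot of the monitored variables standing in for state data 211, and a per-variable acceptable change standing in for the range held in state configuration 210; the class names, the battery, position and connection-count variables and the scenario are assumptions of the example.

```python
# Added example, not the patent's code: a state-aware reference monitor in the
# shape of FIG. 2A/2B.  The policy manager grants on the current state, records
# the grant-time values (state data 211) and withdraws the grant when a monitored
# variable drifts beyond the acceptable range held in state configuration 210.
# Component names, rule contents and the scenario are assumptions; "location_km"
# stands in for a position, expressed as distance from a fixed origin.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, float]


@dataclass
class StateRule:
    """One entry of state configuration 210 for a (subject, object) pair."""
    allow: Callable[[State], bool]                  # evaluated at the request point (258)
    monitor: Tuple[str, ...]                         # variables watched after the grant (262)
    max_drift: Dict[str, float] = field(default_factory=dict)     # acceptable change vs grant time
    unacceptable: Dict[str, float] = field(default_factory=dict)  # absolute caps while granted


@dataclass
class Grant:
    subject: str
    obj: str
    rule: StateRule
    stored: State                                    # values captured when access was granted


class StateMonitor:
    """State monitor 212: holds the latest value of every state variable."""
    def __init__(self, initial: State) -> None:
        self.current: State = dict(initial)

    def update(self, **changes: float) -> None:
        self.current.update(changes)


class StateBasedAccessPolicyManager:
    """State-based access policy manager 202."""
    def __init__(self, config: Dict[Tuple[str, str], StateRule], monitor: StateMonitor) -> None:
        self.config = config
        self.monitor = monitor
        self.grants: List[Grant] = []

    def request_access(self, subject: str, obj: str) -> bool:
        """Steps 252-262: look up the rule, evaluate it, grant and start monitoring."""
        rule = self.config.get((subject, obj)) or self.config.get(("*", obj))
        if rule is None or not rule.allow(self.monitor.current):
            return False
        stored = {v: self.monitor.current[v] for v in rule.monitor}
        self.grants.append(Grant(subject, obj, rule, stored))
        return True

    def reevaluate(self) -> List[Tuple[str, str, str]]:
        """Steps 264-268: withdraw every grant whose monitored variables left the
        acceptable range.  Returns (subject, object, reason) per withdrawn grant."""
        withdrawn = []
        for g in list(self.grants):
            reason = self._violation(g)
            if reason is not None:
                self.grants.remove(g)
                withdrawn.append((g.subject, g.obj, reason))
        return withdrawn

    def _violation(self, g: Grant) -> Optional[str]:
        for v in g.rule.monitor:
            now = self.monitor.current[v]
            drift = abs(now - g.stored[v])
            if v in g.rule.max_drift and drift > g.rule.max_drift[v]:
                return f"{v} changed by {drift:g} (acceptable: {g.rule.max_drift[v]:g})"
            if v in g.rule.unacceptable and now > g.rule.unacceptable[v]:
                return f"{v}={now:g} exceeds {g.rule.unacceptable[v]:g}"
        return None

    def end_access(self, subject: str, obj: str) -> None:
        """Step 270: normal termination, e.g. the accessing component exited."""
        self.grants = [g for g in self.grants if (g.subject, g.obj) != (subject, obj)]

    def has_access(self, subject: str, obj: str) -> bool:
        return any((g.subject, g.obj) == (subject, obj) for g in self.grants)


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: a mail application may use the network if the battery
    is at least 10%; once granted, it keeps access while the device stays within
    1.5 km of where it was granted and holds at most 4 connections."""
    config = {("mail", "network"): StateRule(
        allow=lambda s: s["battery_pct"] >= 10,
        monitor=("location_km", "connections"),
        max_drift={"location_km": 1.5},
        unacceptable={"connections": 4})}
    monitor = StateMonitor({"battery_pct": 80, "location_km": 0.0, "connections": 1})
    pm = StateBasedAccessPolicyManager(config, monitor)
    granted = pm.request_access("mail", "network")
    monitor.update(location_km=1.0, connections=3)
    withdrawn = pm.reevaluate()                 # nothing: still inside the ranges
    monitor.update(location_km=3.0)
    withdrawn += pm.reevaluate()                # the 3 km move withdraws the grant
    return withdrawn if granted else [("mail", "network", "never granted")]
```

Two points the code makes concrete: the allow-time variable (battery level) and the monitored variables (position, connection count) differ, as step 262 permits, and drift is measured against the value stored when access was granted rather than against a fixed region, which is the "acceptable range for the state variable change" of state configuration 210.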

As noted above, the active access monitor 105 (depicted in FIG. 1A) can be a reference monitoring system or a reference monitor. FIG. 3 depicts a reference monitoring architecture compatible with the techniques of the invention. Those skilled in the art will readily appreciate that various access control or reference monitoring techniques can be utilized in accordance with the invention, as no assumptions need to be made regarding the specific architecture or techniques used for providing access control or reference monitoring.

Furthermore, those skilled in the art will readily know and appreciate that a state-aware reference monitor can, for example, be provided as a component of an Operating System (OS) (e.g., SELinux) and/or of Middleware (e.g., a Java Virtual Machine (JVM)) in accordance with various embodiments of the invention. The state-aware reference monitor can, for example, effectively determine whether to allow a process or an application to access one or more specific objects (e.g., files, network connections, devices), as well as effectively determine whether to allow the process or application to access general system resources via, for example, a system call or an Application Programming Interface (API).

Moreover, a state-aware reference monitor provided in accordance with the invention need not merely enforce rules and/or policies defined based on static labels or static permissions; it can effectively check the permissions that have been granted actively or on a continued basis to ensure that an access policy has not been violated and/or to enforce disallowance rules or policies.

Unlike conventional techniques, access decisions need not be made solely based on an access request or on a request-by-request basis, where there may not be an effective way to control access after it has been granted even though there may be critical state changes. Rather, access decisions can also be made based on monitoring various states of a computing device and/or computing environment in order to actively or continually control access.

In other words, access (or security) decisions need not be made only at the access request point; they can also be made after access is or has been granted to, among other things, support a "session-aware" access control mechanism that can make access decisions based on the effective behavior of an accessing component during a determined time (or session). This behavior can be measured based on various state variables. For example, the number of network connections used and/or the traffic generated by an application in a given period of time can be considered, and access to various networking resources can be effectively withdrawn if the number of network connections or the traffic generated is deemed unacceptable. In addition to disallowing access, the execution of an application may be terminated if its behavior, measured based on one or more state conditions (or variables), is not deemed acceptable.

Those skilled in the art will also appreciate that various kinds and forms of system states and application states can be considered. Furthermore, the states, state-based rules, state-based conditions, and/or state-based policies can be defined and configured by end-users on an individual basis, or as a group or as a whole, for example, by a system administrator, allowing customization of the security requirements for individuals, groups, and so on. It should be noted that the states, state-based rules, state-based conditions and/or state-based policies can, for example, be changed, modified and/or updated by end-users and/or administrators, providing the ability to adapt to change in a flexible and customizable security environment.

Still further, it will be appreciated that numerous other advantages can be realized. As an example, fine-grained control of application behavior can be realized by, for example, providing context-aware and/or location-aware security, in contrast to conventional reference monitoring systems including, for example, the Mobile Information Device Profile (MIDP) security framework in J2ME. As generally known in the art, MIDP is a specification published for the use of Java on embedded devices such as mobile phones and PDAs. MIDP is part of the Java Platform, Micro Edition (Java ME) framework and can use the Connected Limited Device Configuration (CLDC), a set of lower level programming interfaces. As another example, an ongoing communication can be effectively terminated if a state-based security condition, rule, or policy is violated. As yet another example, use of a resource (or resource usage) can be controlled to, for example, effectively control the network bandwidth used by a particular application.

As still another example, a storage source (e.g., persistent storage) can be shared between applications in a controlled manner based on one or more states, state-based rules, state-based conditions, and/or state-based policies. In particular, this controlled sharing can effectively isolate persistent storage to address more recent threats to the security of computing devices, as will be appreciated by those skilled in the art.

In contrast to conventional techniques, reference monitoring need not depend solely on atomic permission checks (e.g., send or do not send an SMS or MMS, allow or do not allow a phone call to be made, allow or do not allow a UMTS connection or a TCP connection). Such atomic checks do not rely on application history, which can be captured with respect to various states (e.g., total network traffic used in a day, maximum number of MMS messages sent this week). It will be appreciated that application history can be considered and effectively used to make access decisions, including disallowing access based on one or more states, in accordance with the invention.

In addition, the states considered in making these access decisions can include contextual information. The contextual information can, for example, be used for: location-based rules (e.g., access allowed only within a particular geographical range, or access disallowed inside or outside of a geographical range); time-based rules (e.g., disallow a game application from sending SMS during peak time); and system-based rules (e.g., UMTS can only be accessed while (or so long as) no other concurrent connections are made).
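The history- and context-based rules of this and the preceding paragraphs, as an added example (illustration added here, not code from the patent). It keeps a per-application event history and evaluates sliding-window, time-of-day and concurrency rules, returning a decision that can also call for terminating the application as the text allows; the limits (20 SMS per 4 hours, 50 MMS per week, 50 MB per day), the peak hours, the application names and the event stream are constructed assumptions.

```python
# Added example, not code from the patent: session-aware decisions drawn from
# application history, covering the rules discussed above (messages sent in a
# window, weekly MMS count, daily traffic, UMTS only without other concurrent
# connections, no SMS from games at peak time).  Limits, peak hours, application
# names and the event stream are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    app: str
    kind: str            # "sms", "mms", "bytes", "connect", "disconnect"
    at: datetime
    amount: int = 1      # message count, or byte count for "bytes"


class HistoryStateMonitor:
    """Keeps per-application history so a rule can look back over a window
    instead of judging each request atomically."""
    def __init__(self) -> None:
        self.events: Dict[str, List[Event]] = defaultdict(list)
        self.open_connections: Dict[str, Set[str]] = defaultdict(set)

    def record(self, e: Event, conn_id: Optional[str] = None) -> None:
        self.events[e.app].append(e)
        if e.kind == "connect" and conn_id:
            self.open_connections[e.app].add(conn_id)
        elif e.kind == "disconnect" and conn_id:
            self.open_connections[e.app].discard(conn_id)

    def total(self, app: str, kind: str, window: timedelta, now: datetime) -> int:
        """Sum of `kind` events for `app` in the sliding window (now - window, now]."""
        since = now - window
        return sum(e.amount for e in self.events[app] if e.kind == kind and since < e.at <= now)

    def connections_open(self, exclude_app: str) -> int:
        return sum(len(c) for app, c in self.open_connections.items() if app != exclude_app)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str = ""
    terminate: bool = False   # the page notes the application itself may be terminated


SMS_PER_4H, MMS_PER_WEEK, BYTES_PER_DAY = 20, 50, 50_000_000
PEAK_HOURS = range(9, 17)     # assumed peak time


def check(app: str, resource: str, now: datetime, hist: HistoryStateMonitor,
          app_type: str = "") -> Decision:
    """State-based disallow rules, run at the request point and again while
    access is ongoing; a False result withdraws access that was granted."""
    if resource == "sms_port":
        if app_type == "game" and now.hour in PEAK_HOURS:
            return Decision(False, "games may not send SMS during peak time")
        if hist.total(app, "sms", timedelta(hours=4), now) >= SMS_PER_4H:
            return Decision(False, f"{SMS_PER_4H} SMS in 4 hours reached", terminate=True)
    if resource == "mms_port" and hist.total(app, "mms", timedelta(days=7), now) >= MMS_PER_WEEK:
        return Decision(False, "weekly MMS limit reached")
    if resource == "network" and hist.total(app, "bytes", timedelta(days=1), now) > BYTES_PER_DAY:
        return Decision(False, "daily traffic limit exceeded")
    if resource == "umts" and hist.connections_open(exclude_app=app) > 0:
        return Decision(False, "UMTS only while no other concurrent connection is open")
    return Decision(True)


def game_sms_allowed(hour: int) -> bool:
    """Time-based rule in isolation: may a game with no history send SMS at `hour`?"""
    return check("racer", "sms_port", datetime(2024, 3, 4, hour, 0), HistoryStateMonitor(),
                 app_type="game").allowed


def demo() -> List[Decision]:
    """Constructed history: 'chat' sends 20 SMS inside three hours while a
    browser holds a TCP connection; 'mail' then asks for UMTS."""
    hist = HistoryStateMonitor()
    t0 = datetime(2024, 3, 4, 10, 0)
    for i in range(SMS_PER_4H):
        hist.record(Event("chat", "sms", t0 + timedelta(minutes=9 * i)))
    hist.record(Event("browser", "connect", t0), conn_id="tcp-1")
    results = [
        check("chat", "sms_port", t0 + timedelta(hours=3), hist),   # limit reached: withdraw, terminate
        check("chat", "sms_port", t0 + timedelta(hours=8), hist),   # window slid past: allowed again
        check("mail", "umts", t0 + timedelta(minutes=1), hist),     # browser connection still open
    ]
    hist.record(Event("browser", "disconnect", t0 + timedelta(minutes=2)), conn_id="tcp-1")
    results.append(check("mail", "umts", t0 + timedelta(minutes=3), hist))  # allowed once it closed
    return results
```

Because `check` is a pure function of the history and the clock, the same call serves both the request point and the on-going monitoring: the monitor re-runs it whenever an event is recorded or time passes, and the decision moves from allowed to disallowed and back as the window slides.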

The techniques of the invention can, among other things, extend the J2ME security model and architecture to provide a state-aware security policy, as will be appreciated by those skilled in the art. To further elaborate, FIG. 4 depicts a J2ME-compliant computing environment 400 in accordance with one embodiment of the invention. Referring to FIG. 4, one or more Java programs for embedded devices ("MIDlets") 401 can be supported by a K Virtual Machine (KVM). As generally known in the art, a KVM is a virtual machine developed by Sun Microsystems and derived from the Java Virtual Machine (JVM) specification. Typically, a KVM is provided for smaller and/or embedded devices and supports a subset of the features of the JVM. A state-based security check component 402 can effectively enforce state-based access (including disallow-access) policies, conditions and/or rules stored in the state configuration 404. The state-based security check component 402 can effectively enforce the state-based access policies, conditions and/or rules based on the monitoring of the states (or state variables) performed by the state monitor 406.

An access policy manager (or policy manager) 408 can be effectively used to define and modify access policies, conditions and/or rules. Those skilled in the art will readily appreciate that the state-based security check component 402, state configuration 404, state monitor 406, and policy manager 408 can, for example, be provided as new "classes" in the J2ME framework.

More particularly, in addition to a MIDP permission domain check, a "SecurityToken" class can invoke a state-based security check querying the current runtime state of a MIDlet 401.

The state monitor 406 can obtain application and system information pertaining to various states and run "state-transition logic" 410 (e.g., a Finite State Machine (FSM)). The state-based security check can query the state information and, based on an access policy, condition and/or rule, make a state-based access decision. This state-based access decision can be effectively combined with the MIDP permission check such that access is allowed only if both the state-based access decision and the MIDP permission check allow it.

The policy manager 408 can provide an interface for a user and/or service provider to define various states associated with the MIDlets 401. By way of example, states can be monitored and reported based on equipped sensors, the overall system state, the resource usage status of a MIDlet 401, and so on.
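The combination described for FIG. 4, as an added example in Python rather than J2ME (illustration added here, not the patent's code and not the J2ME framework's). The permission strings are the MIDP 2.0 and Wireless Messaging API names; the protection-domain contents, the finite state machine's states and transitions, the state policy and the event stream are assumptions of the example.

```python
# Added example, not code from the patent or from J2ME: the FIG. 4 combination
# of a MIDP permission-domain check with a state-based security check, where the
# state comes from a finite state machine (state-transition logic 410) fed by the
# state monitor.  The permission strings are the MIDP 2.0 / WMA names; the domain
# contents, FSM states, transition table and event stream are assumptions.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

HTTP = "javax.microedition.io.Connector.http"
SOCKET = "javax.microedition.io.Connector.socket"
SMS_SEND = "javax.wireless.messaging.sms.send"

# MIDP protection domains (assumed configuration): which permissions a domain holds.
DOMAINS: Dict[str, FrozenSet[str]] = {
    "untrusted": frozenset({HTTP}),
    "trusted": frozenset({HTTP, SOCKET, SMS_SEND}),
}

# State-transition logic 410.  Events are what the state monitor 406 reports
# about a MIDlet's behaviour; unknown (state, event) pairs leave the state unchanged.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("normal", "burst"): "throttled",        # e.g. many messages in a short window
    ("throttled", "quiet"): "normal",        # usage settled down again
    ("throttled", "burst"): "blocked",       # repeated burst while throttled
    ("normal", "background"): "background",
    ("background", "foreground"): "normal",
    ("blocked", "reset"): "normal",          # cleared by user or administrator
}

# State configuration 404: the runtime states in which each permission may be used.
STATE_POLICY: Dict[str, FrozenSet[str]] = {
    SMS_SEND: frozenset({"normal"}),
    SOCKET: frozenset({"normal", "throttled"}),
    HTTP: frozenset({"normal", "throttled", "background"}),
}


@dataclass
class MIDlet:
    name: str
    domain: str
    state: str = "normal"
    trail: List[str] = field(default_factory=list)   # states visited, for inspection


class StateMonitor:
    """State monitor 406: applies reported events to the MIDlet's state machine."""
    def report(self, m: MIDlet, event: str) -> str:
        m.state = TRANSITIONS.get((m.state, event), m.state)
        m.trail.append(m.state)
        return m.state


def midp_domain_check(m: MIDlet, permission: str) -> bool:
    """Conventional MIDP check: static, per protection domain."""
    return permission in DOMAINS.get(m.domain, frozenset())


def state_based_check(m: MIDlet, permission: str) -> bool:
    """State-based security check 402: depends on the MIDlet's current runtime state."""
    return m.state in STATE_POLICY.get(permission, frozenset())


class SecurityToken:
    """The page's SecurityToken: access is allowed only if both checks allow it."""
    def check_permission(self, m: MIDlet, permission: str) -> bool:
        return midp_domain_check(m, permission) and state_based_check(m, permission)


def demo() -> List[bool]:
    """Constructed run: a trusted chat MIDlet loses and regains SMS as its state
    changes; an untrusted game never gets SMS regardless of state."""
    token, monitor = SecurityToken(), StateMonitor()
    chat = MIDlet("chat", "trusted")
    results = [token.check_permission(chat, SMS_SEND)]      # True: trusted, normal
    monitor.report(chat, "burst")                            # normal -> throttled
    results.append(token.check_permission(chat, SMS_SEND))  # False: state check fails
    results.append(token.check_permission(chat, HTTP))      # True: HTTP allowed while throttled
    monitor.report(chat, "quiet")                            # throttled -> normal
    results.append(token.check_permission(chat, SMS_SEND))  # True again
    game = MIDlet("racer", "untrusted")
    results.append(token.check_permission(game, SMS_SEND))  # False: domain never held it
    return results
```

The domain check never changes for a given MIDlet, so on its own it is the atomic, request-by-request decision criticised above; it is the state machine's current state, updated between requests, that lets the same permission be refused mid-session and granted again once the behaviour settles.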

The various aspects, features, embodiments or implementations of the invention described above can be used alone or in various combinations. The many features and advantages of the present invention are apparent from the written description and, thus, it is intended by the appended claims to cover all such features and advantages of the invention. Further, since numerous modifications and changes will readily occur to those skilled in the art, the invention should not be limited to the exact construction and operation as illustrated and described. Hence, all suitable modifications and equivalents may be resorted to as falling within the scope of the invention.

What is claimed is:
 1. A computing system to make state-aware securitydecisions, comprising: an active state-aware reference monitorincluding: a state-based access policy manager component operable to:receive input that effectively defines one or more state-based accessconditions and/or rules for allowing and/or disallowing access to one ormore accessible components; generate based on said input one or morestate-based access conditions and/or rules that include one or morestate variables associated with said computing environment; and a statemonitor operable to monitor said one or more state variables; the activestate-aware reference monitor operable to perform state-based securityaccess policies to control access to said one or more accessiblecomponents of a computing environment by: determining whether one ormore state-based disallow-access conditions for disallowing access tosaid one or more accessible components are met after access to said oneor more accessible components has been allowed to effectively grantpermission to access said one or more accessible components; anddetermining to disallow access to said one or more accessible componentswhen said determining determines that said one or more state-baseddisallow-access conditions have been met, thereby allowing saidpermission to access said one or more accessible components to beeffectively withdrawn if said one or more disallow-access condition aremet.
 2. The computing system of claim 1, wherein one or more of thefollowing are true: wherein said one or more state-based disallow-accessconditions are met when one or more access conditions and/or rules forallowing access to said one or more accessible components have beenviolated, and wherein said one or more state-based disallow-accessconditions are defined based on one or more allow-access conditionsand/or rules for allowing access to said one or more accessiblecomponents.
 3. The computing system of claim 1, wherein one or more ofthe following are true: wherein said one or more state-baseddisallow-access conditions are different than one or more allow-accessconditions and/or rules defined for allowing access to said one or moreaccessible components, and/or wherein said one or more state-baseddisallow-access conditions are explicitly defined for disallowing accessto said one or more accessible components.
4. The computing system of claim 1, wherein said active state-aware reference monitor is further operable to: effectively monitor said one or more state-based disallow-access conditions to determine whether said one or more state-based disallow-access conditions are met.
5. The computing system of claim 1, wherein said active state-aware reference monitor provides session-aware access control based on the state variables; and wherein an active access monitoring component is further operable to: detect a change in the values of said one or more variables after access to said one or more accessible components has been allowed.
6. The computing system of claim 1, wherein said active state-aware reference monitor is further operable to: compare the current values of said one or more variables in an active session to unacceptable values of said one or more variables defined for disallowing access.
7. The computing system of claim 5, wherein said one or more variables include one or more state variables associated with said computing environment including location of a computing device of the computing system.
8. The computing system of claim 1, wherein state-based access decisions are combined with state-based permission checks.
9. The computing system of claim 8, wherein said computing device is and/or includes a mobile device.
10. The computing system of claim 9, wherein said mobile device is one or more of the following: a mobile phone, a smart phone, a Personal Digital Assistant.
11. The computing system of claim 1, wherein said reference monitor controls access to resources of an operating system of said computing device.
12. The computing system of claim 1, wherein said one or more disallow-access conditions are defined by one or more allow-access conditions for allowing access to said one or more accessible components.
13. The computing system of claim 1, further comprising: a state configuration storage that stores said one or more state variables; wherein said access policy manager component is operable to store said one or more state-based access conditions and/or rules in said state configuration storage; and wherein said state monitor is operable to access said state configuration storage and obtain said one or more state-based access conditions and/or rules in order to determine said one or more state variables to monitor.
14. The computing system of claim 1, wherein said computing system receives an input via a User Interface (UI) from a person, thereby allowing said person to effectively define said one or more state-based access conditions and/or rules for accessing said accessible component.
15. The computing system of claim 13, wherein said determining of whether to disallow access to said one or more accessible components comprises: determining whether to disallow said first component from accessing said one or more components based on access data that has been modified after said accessing allows said first component to access said second component, thereby allowing access to be actively controlled and/or monitored after access has been allowed.
16. The computing system of claim 1, wherein said disallow-access conditions are based on measurements of one or more factors taken over a period of time.
17. The computing system of claim 16, wherein said one or more factors include and/or are based on one or more state variables.
18. The computing system of claim 1, wherein said one or more factors include and/or are based on one or more state variables including at least one of accessing one or more application programs and exceeding a predetermined number of connections.
19. A method of controlling access to one or more accessible components of a computing environment, wherein said method comprises: monitoring, using an active state-aware reference monitor, one or more state-based disallow-access conditions after permission to access said one or more accessible components has been granted, wherein each state-based disallow-access condition defines a condition for a state variable associated with said one or more accessible components, and wherein allowed access to said one or more accessible components is disallowed when at least one of said state-based disallow-access conditions has been met; determining, based on said monitoring of said one or more state-based disallow-access conditions, whether at least one of said one or more disallow-access conditions has been met; and withdrawing said permission to access said one or more accessible components when at least one of said one or more state-based disallow-access conditions has been met.
20. The method of claim 19, wherein said method further comprises one or more of the following: generating an indication that effectively indicates to disallow allowed access to said one or more accessible components; disallowing allowed access to said one or more accessible components when said determining determines to disallow access to said one or more accessible components; and causing allowed access to said one or more accessible components to be disallowed when said determining determines to disallow access to said one or more accessible components.
21. The method of claim 19, wherein: said allowed access allows a first component to access said one or more accessible components; and said first component is disallowed from accessing said one or more accessible components when said allowed access is disallowed.
22. The method of claim 21, wherein said monitoring of said one or more disallow-access conditions is performed when one or more of the following are true: said first component is accessing said one or more accessible components; said first component is executing and/or is active; and said first component is not requesting access to said one or more accessible components.
23. The method of claim 22, wherein: said one or more accessible components include one or more of the following: one or more resources, one or more system calls, one or more files, one or more objects, one or more connections, one or more network connections, one or more applications, one or more MIDlets, one or more modules, one or more functions, and one or more procedures; and said first component includes one or more of the following: one or more programs, one or more application programs, one or more objects, one or more MIDlets, one or more modules, one or more functions, and one or more procedures.
24. The method of claim 19, wherein said active state-aware reference monitor provides session-aware access control based on monitoring state variables, and said method further comprises determining whether said one or more disallow-access conditions are met based on access data that has been modified after permission to access said one or more accessible components has been granted, thereby allowing access to be actively controlled.
25. The method of claim 24, wherein: access data includes state data associated with said computing environment; and said method further comprises: detecting a change in said state data associated with allowing and/or disallowing access to said one or more components.
26. The method of claim 19, further comprising one or more of the following: effectively monitoring access to said one or more components after access to said one or more components has been granted; and effectively monitoring one or more access states including one or more state variables and/or parameters associated with said computing environment.
27. The method of claim 26, wherein: said access data includes state data associated with one or more states of said computing environment; and said method further comprises: detecting a change in said state data.
28. The method of claim 27, wherein said method further comprises: maintaining and/or modifying said state data after access to said one or more accessible components is allowed.
29. The method of claim 28, wherein said maintaining and/or modifying are performed when said one or more accessible components are being accessed.
30. The method of claim 29, wherein said state data includes one or more of the following: components of said computing system, and/or one or more components accessing and/or attempting to access said one or more accessible components; one or more component states associated with states of one or more components of said computing environment; contextual data associated with one or more contextual variables associated with said computing environment; internal contextual data associated with one or more internal contextual variables internal to said computing environment; and external contextual data associated with one or more external contextual variables external to said computing environment.
31. The method of claim 19, wherein said computer-implemented method further comprises: obtaining one or more state-based access rules defined based on one or more state variables for allowing and/or disallowing access to said one or more accessible components; and determining based on said one or more state-based access rules whether to allow and/or disallow access.
32. The method of claim 31, wherein said computer-implemented method further comprises: defining and/or modifying one or more access rules based on input.
33. The method of claim 32, wherein said input is effectively provided by and received from a user.
34. A method of providing an active state-aware reference monitor for a computing system, wherein said computer-implemented method comprises: determining that a first component of said computing system is requesting and/or attempting to access an accessible component of said computing system; obtaining one or more state-based access rules for accessing said accessible component, wherein said one or more state-based access rules include one or more state variables associated with said computing system; obtaining current values of said one or more state variables; determining based on said one or more current values whether to grant said first component access to said accessible component; granting said first component permission to access said accessible component when said determining determines to grant access to said accessible component; initiating monitoring of said one or more state variables when said first component is granted access to said accessible component; determining based on said monitoring whether to withdraw said permission to access said accessible component; and withdrawing said permission to access said accessible component, thereby effectively preventing said first component from further accessing said accessible component; wherein session-aware access control is provided based on the state variables.
35. The method of claim 34, wherein said computer-implemented method further comprises one or more of the following: terminating said monitoring of said one or more state variables when said first component becomes inactive and/or incapable of accessing said accessible component; and receiving from a first component of said computing system a request to access a second component of said computing system.
36. The method of claim 34, wherein said monitoring comprises: detecting a change in at least one of said one or more state variables; and determining whether said change to said at least one variable is acceptable; thereby effectively reevaluating said rule.
37. A non-transitory computer readable medium including executable program code embodied in a tangible form for an active state-aware reference monitor controlling access to one or more components of a computing environment and/or system, wherein said computer readable medium includes: computer program code for monitoring one or more state-based disallow-access conditions after permission to access said one or more accessible components has been granted, wherein each state-based disallow-access condition defines a condition for a state variable associated with said one or more accessible components, and wherein allowed access to said one or more accessible components is disallowed when at least one of said state-based disallow-access conditions has been met; computer program code for determining whether at least one of said one or more state-based disallow-access conditions has been met; and computer program code for withdrawing said permission to access said one or more accessible components when at least one of said one or more state-based disallow-access conditions has been met.
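The claims above (in particular claims 1, 19, 34 and 37) describe a reference monitor that keeps evaluating policy after a grant, but the page carries no code. What follows is an added example written for this page, not the patent's implementation or any product's code. It models grant-time allow conditions, post-grant disallow conditions (the abstract's message limit over a sliding 4-hour window, a location constraint as in claim 7, a connection threshold as in claim 18), and a state monitor that re-evaluates every monitored grant whenever a state variable changes, so a permission can be withdrawn without the subject making a new request. The rule helpers, the state variable names and the event trace in run_demo() are assumptions made for the illustration.

```python
"""Active state-aware reference monitor, added as an example for this page (not the
patent's implementation); rule helpers, variable names and the trace are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A condition returns the reason it is met, or None when it is not met.
Condition = Callable[["Session", Dict[str, object], float], Optional[str]]

@dataclass
class Session:
    """An allowed access that the monitor keeps watching after the grant."""
    subject: str
    component: str
    active: bool = True
    revoked_reason: Optional[str] = None
    events: Dict[str, List[float]] = field(default_factory=dict)  # access data kept after grant

def rate_limit(counter: str, limit: int, window: float) -> Condition:
    """Met when more than `limit` events fall in a sliding `window` of seconds."""
    def cond(s, state, now):
        recent = [t for t in s.events.get(counter, []) if now - t <= window]
        return f"{counter} {len(recent)}>{limit} in {window:.0f}s" if len(recent) > limit else None
    return cond

def state_check(var: str, ok: Callable[[object], bool]) -> Condition:
    """Met when environment state variable `var` (location, connections, ...) fails `ok`."""
    def cond(s, state, now):
        v = state.get(var)
        return None if ok(v) else f"{var}={v!r}"
    return cond

class ActiveReferenceMonitor:
    def __init__(self):
        self.state: Dict[str, object] = {}              # monitored state variables
        self.allow: Dict[str, List[Condition]] = {}     # grant-time conditions: block if met
        self.disallow: Dict[str, List[Condition]] = {}  # post-grant conditions: revoke if met
        self.sessions: List[Session] = []               # grants currently being monitored

    def policy(self, component, allow=(), disallow=()):
        """Policy manager input; a condition in both lists is a disallow rule derived
        from the allow rule, one only in `disallow` is an explicit disallow rule."""
        self.allow[component] = list(allow)
        self.disallow[component] = list(disallow)

    def request_access(self, subject, component, now) -> Optional[Session]:
        """Permission check at request time; a successful grant is then monitored."""
        s = Session(subject, component)
        if any(c(s, self.state, now) for c in self.allow.get(component, [])):
            return None
        self.sessions.append(s)
        return s

    def record(self, session, counter, now) -> bool:
        """Access through an existing grant: update access data, re-check, report."""
        if not session.active:
            return False
        session.events.setdefault(counter, []).append(now)
        self._reevaluate(session, now)
        return session.active

    def set_state(self, var, value, now):
        """State monitor: a change re-evaluates every monitored grant, with no new request."""
        self.state[var] = value
        for s in list(self.sessions):
            self._reevaluate(s, now)

    def _reevaluate(self, session, now):
        for cond in self.disallow.get(session.component, []):
            reason = cond(session, self.state, now)
            if reason:
                session.active, session.revoked_reason = False, reason  # permission withdrawn
                self.sessions.remove(session)                          # monitoring ends
                return

def run_demo() -> dict:
    """Constructed trace: a messaging app on a comm port, a browser on the network."""
    H = 3600.0
    rm = ActiveReferenceMonitor()
    trusted = state_check("location", lambda v: v in ("office", "home"))
    rm.policy("comm_port", allow=[trusted],
              disallow=[trusted, rate_limit("messages", 3, 4 * H)])
    rm.policy("network", disallow=[state_check("open_connections", lambda v: (v or 0) <= 2)])
    out = {}
    rm.set_state("location", "cafe", now=0.0)
    out["denied_at_cafe"] = rm.request_access("messenger", "comm_port", 0.0) is None
    rm.set_state("location", "office", now=0.0)
    msg = rm.request_access("messenger", "comm_port", 0.0)
    net = rm.request_access("browser", "network", 0.0)
    out["granted"] = msg is not None and net is not None
    for t in (0.0, 600.0, 1200.0):
        rm.record(msg, "messages", t)
    out["active_after_3"] = msg.active
    for t in (5 * H, 5 * H + 1, 5 * H + 2):  # the first three have left the 4 h window
        rm.record(msg, "messages", t)
    out["active_after_window_slid"] = msg.active
    out["still_allowed"] = rm.record(msg, "messages", 5 * H + 3)  # fourth inside the window
    out["msg_reason"] = msg.revoked_reason
    rm.set_state("open_connections", 3, now=5 * H + 4)  # external change hits the browser
    out["net_reason"] = net.revoked_reason
    return out
```

Two design points worth noting. Conditions return a reason string rather than a boolean, so the withdrawal carries an auditable explanation and the same condition object can serve both as a grant-time check and as a post-grant disallow rule (the derived-rule case of claims 2 and 12), while rate_limit exists only as a post-grant rule (the explicit case of claim 3). Revocation also removes the session from the monitored set, so the monitor stops paying for checks on grants that no longer exist; a caller that keeps using a revoked handle gets False from record() rather than silent success.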